Using Service Auth for Gitea Access via Git Client + Cloudflare Tunnel

Previously, I added a Cloudflare Zero Trust Application Access in front of my Gitea with a one-time password, but when I use a git client to push code, it redirects me to Cloudflare Tunnel with a one-time password.

Problem

So, in this blog, I want to create a Service Auth that bypasses Access for Gitea if I present a special key. Otherwise, it redirects to Cloudflare Tunnel with a one-time password.

Solution

Set up Gitea + Cloudflare Zero Trust Application Access

If you have already set up Gitea + Cloudflare Zero Trust Application Access, you can skip ahead to the step Create Service Auth (For Git Client to Access).

🛡️ Set up Gitea

I chose Gitea because GitLab was consuming more and more resources, and in newer versions some features were moved to paid tiers. The first GitLab version I used was probably version 13, when I investigated a problem with the Root user breaking the branch protection rules; I kept using GitLab for a long time until I changed machines, and the last version was 17.4.

Now, in 2025, I moved my homelab to a Synology NAS, so I chose Gitea because it's lightweight and has the Merge Approval feature that disappeared from GitLab.

I have a Docker Compose file ready for deployment (I use it on my Synology NAS).

For documentation about Gitea installation details, please see Gitea - Installation.

🛡️ Check Authentication on Cloudflare Zero Trust

Check Authentication on Cloudflare Zero Trust: Zero Trust Overview > Settings > Authentication

The default is Email One-Time Password, but you can set another method, such as Azure AD (Entra ID) / OpenID, etc.

🛡️ Add Application Policy

Zero Trust Overview > Access > Application

  • Add Application
  • Select Self-Hosted (in this case I run the Gitea app on Synology)
  • Fill in your General Info
    - Config Name
    - Domain + Sub Domain + Path to Access

Next, add a Policy. You can

  • create a new policy (Add Policy)
  • or use existing

Next, Select the Authentication Method (I use Email One-Time Password)

You can customize it, such as setting a custom login page.

📌 Test via Web Access, such as https://yourgitdomain
  • From the Gitea Login Page, you are redirected to the Cloudflare Access Page
  • Cloudflare will send a one-time password
  • Enter the one-time password; if the correct code is entered, you are redirected to the Gitea Login Page. Enter your Gitea Username + Password and you will see the dashboard.

But when using a Git client to push code, I was asked for a One-Time Password, like this:

PS D:\0gitea\ollama-traefik-letsencrypt-docker-compose> git push
fatal: unable to update url base from redirection:
   asked for: https://gitea.youdomain.example/samplegitusr/ollama-traefik-letsencrypt-docker-compose.git/info/refs?service=git-receive-pack
   redirect: https://xxxxxxxx.cloudflareaccess.com/cdn-cgi/access/login/gitea.youdomain.example?kid=33FQu...&redirect_url=%2Fsamplegitusr%2Follama-traefik-letsencrypt-docker-compose.git%2Finfo%2Frefs%3Fservice%3Dgit-receive-pack

Create Service Auth (For Git Client to Access)

🛡️ Create Service Auth
  • Cloudflare Zero Trust Dashboard > Access > Service Auth > Create Service
  • Save the CF-Access-Client-Id / CF-Access-Client-Secret for adding to the git client
🛡️ Create a ByPass Policy
  • Cloudflare Zero Trust Dashboard > Access > Policies > Add Policies
  • Create a ByPass policy for Gitea with the condition Service Auth (gitea)
🛡️ Add Cloudflare Zero Trust Application Access
  • Cloudflare Zero Trust Dashboard > Access > Applications > Add an application > Self-hosted
  • Set Gitea Domain
  • Add the policies in this order
    1. ByPass Policy (Service Auth)
    2. One-Time Password, if the ByPass Policy does not match
🛡️ Configure your git config with the Service Auth header

Run the following commands to tell the git client to add an extra header for the Gitea URL. Keep the `http.https://yourgitdomain/` prefix: git only sends an extraHeader to URLs matching that prefix, so the Service Auth secret is not sent to other remotes (note that it is stored in plain text in your global git config).

git config --global --add http.https://yourgitdomain/.extraHeader "CF-Access-Client-Id: CF_Service_Auth_Access"
git config --global --add http.https://yourgitdomain/.extraHeader "CF-Access-Client-Secret: CF_Service_Auth_Access_Secret"
📌 Test
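The following shell script is an added example, not part of the original post: it checks whether the Service Auth headers actually reach Gitea by requesting the same info/refs endpoint git fetches first, with and without the headers, and classifies the answer (Cloudflare Access redirect vs. a response from Gitea). GITEA_REPO_URL, CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET are assumed placeholder variables you export yourself.

```shell
#!/bin/sh
# Added example (not from the original post): check whether Cloudflare Access
# lets the Service Auth headers through to Gitea, without needing a git push.
# Assumed placeholders you export first:
#   GITEA_REPO_URL          e.g. https://yourgitdomain/owner/repo.git
#   CF_ACCESS_CLIENT_ID     the Service Auth CF-Access-Client-Id
#   CF_ACCESS_CLIENT_SECRET the Service Auth CF-Access-Client-Secret

# classify_access STATUS REDIRECT_URL
# Cloudflare Access answers an unauthenticated request with a redirect to
# https://<team>.cloudflareaccess.com/cdn-cgi/access/login/..., which is the
# redirect git reported in the "unable to update url base" error above.
classify_access() {
  case "$1" in
    301|302|303|307|308)
      case "$2" in
        https://*.cloudflareaccess.com/cdn-cgi/access/login*) echo "blocked-by-access" ;;
        *) echo "other-redirect" ;;
      esac ;;
    200|401) echo "reached-gitea" ;;   # 401 is Gitea's own auth challenge
    403) echo "forbidden" ;;
    *) echo "unexpected-$1" ;;
  esac
}

# probe with|without -- request the smart-HTTP endpoint git fetches first,
# optionally sending the Service Auth headers, and classify the answer.
probe() {
  url="${GITEA_REPO_URL%/}/info/refs?service=git-receive-pack"
  fmt='%{http_code} %{redirect_url}'
  if [ "$1" = with ]; then
    result=$(curl -sS -o /dev/null -w "$fmt" \
      -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
      -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" "$url")
  else
    result=$(curl -sS -o /dev/null -w "$fmt" "$url")
  fi
  # shellcheck disable=SC2086  (intentional split into STATUS and REDIRECT_URL)
  classify_access $result
}

# Expected when Service Auth is set up correctly:
#   without headers -> blocked-by-access, with headers -> reached-gitea.
if [ -n "${GITEA_REPO_URL:-}" ] && [ -n "${CF_ACCESS_CLIENT_ID:-}" ]; then
  echo "without headers: $(probe without)"
  echo "with headers:    $(probe with)"
fi
```

If the "with headers" probe still reports blocked-by-access, the ByPass policy is not matching the Service Auth token or is ordered after the one-time-password policy.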
